Data Analytics-Enabled Auditing Through Continuous Assurance Of .

Transcription

A MATURITY MODEL
Data Analytics-Enabled Auditing through Continuous Assurance of Enterprise Risk Management
January 16, 2013

Agenda
- Evolving world of Big Data and Analytics
- Why have Audit Data Analytics and Continuous Auditing in Internal Audit not been radiated or sustained?
  - What have been the challenges?
- A Hypothesis: Modifying the Audit Methodology will Manage Change and help transform the audit function
- Audit Methodology Reference Model
- Q&A

© 2013 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International Cooperative (“KPMG International”), a Swiss entity. NDPPS 144455

Analytics Waves Follow Reporting Waves
[Figure: reporting and analytics waves over time. Labels: What will happen? (Prediction); What is happening? (Monitoring); Why did it ...; Statistics; Dashboards; Data mining; Scorecards; Optimization. Time axis: 2000’s, 2010’s. Source: TDWI]

A Major Talent Gap is Expected
1. Data have swept into every industry and business function and are now an important factor of production
2. Data generates value by creating transparency, enabling experimentation, segmenting populations to customize actions, automatically replacing human decisions, and innovating business models, products, and services
3. The use of Big Data is becoming a key way for leading companies to out-perform their peers
4. The use of Big Data will lead to new waves of productivity and improve efficiency and effectiveness, enabling organizations to do more with less
5. Certain sectors are poised for greater gains than others through the use of Big Data – these include Healthcare, Public Sector, US Retail, and Manufacturing
6. There will be a shortage of talent necessary for organizations to take advantage of Big Data
7. Several issues will need to be addressed to capture the full potential of Big Data, such as data policies, industry structure, and organizational change

Continuous Risk Assessment to Verification of Risk Management
[Figure: four-step cycle linking risks to processes and audit activity.]
Steps:
1. Continuous Risk Assessment
2. Dynamic Audit Planning
3. Audit Execution
4. Verification of Risk Management
Risks shown: Poor cost control; Unethical Sourcing; Loss of Major Vendor Due to Financial Difficulties; Lost or inaccurate order entered into system; Poor system maintenance; Inefficient product capacity; Failure to achieve gross margin; Bribery and Corruption; Product feature mismatch; Product Failure; Transportation Failure
Processes and sub processes shown: Procurement Planning; Vendor Selection; Purchasing; Vendor Performance Management; Quality Assurance; Procurement; Receiving; Perform planning and budgeting; Manage Financial Resources; Perform revenue accounting; Perform management reporting; Manage fixed assets
Other labels: Process; Risks; Sub Process; Audit entity prioritization; Audit Exec. Dashboard

© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 26125NSS

Value of Data Analytics-Enabled Internal Auditing
1. Identify the “right” audits to perform (coverage focus)
   If only 30 audits can be performed a year, how do we know which 30 audits to perform (i.e., which are the “riskiest” audit areas)?
2. Increase the number of audits performed per year (coverage breadth)
   How do we increase the number of audits performed per year from 30 to 40 without adding hours or FTE?
3. Increase the frequency of audits of key risk areas (coverage frequency)
   Currently we can only audit key risk areas every other year, how can we audit them every year?
4. Decrease the time required to cycle through the audit universe (coverage efficiency)
   Currently it takes three years to audit every auditable entity, how do we decrease that cycle time to every two years?
5. Increase the scope of specific audits (coverage depth)
   Currently we can only focus audits on two or three key areas of risk and test a sample of transactions, how can we audit five to 10 areas of risk (e.g., including fraud, inefficiencies, and regulatory non-compliance) and cover 100% of the transactions?

Data Analytics/Continuous Auditing Implementation (and Sustainability) Challenges

General
- Determining and establishing consensus on objectives and success criteria.
- Measuring and demonstrating success.
- Limited resources (technology and human know how).

Data Availability and Quality
- Lack of access to data.
- Disparate information systems with different data formats.
- Incomplete data sets, inconsistent data quality.
- Data privacy/security issues to navigate.

Data Analytics
- Inability to effectively leverage data analytics to achieve audit objectives.
- Definition of “exception;” addressing “false positives” and “false negatives.”
- Workflow around exception resolution; managing volumes of exceptions.

Change Management
- Managing impact of CA/DA processes on auditors and other business processes.

Audit Methodology-based Maturity Model

Maturity Levels
- Level I: Traditional Auditing
- Level II: Ad Hoc Integrated Analysis
- Level III: Continuous Risk Assessment & Continuous Auditing
- Level IV: Integrated Continuous Auditing & Continuous Monitoring
- Level V: Continuous Assurance of Enterprise Risk Management

IA Methodology
- Strategic Analysis
- Enterprise Risk Assessment
- Internal Audit Plan Development
- Execution and Reporting
- Continuous Improvement

Legend
- Data Analytics are generally not used
- Data Analytics are partially used but are sub-optimized
- Data Analytics are effectively and consistently used (optimized)

Audit Methodology: Strategic Analysis and Enterprise Risk Assessment Phases
Internal Audit Data Analytics and Continuous Auditing Maturity Model

Methodology phase: 1. Strategic Analysis
- 1.1 Understand the business
- 1.2 Stakeholder Needs Analysis
- 1.3 Perform an Enterprise Risk Assessment

Traditional Auditing: Perform relatively few analytics on an ad hoc basis
- Use of management reports
- Limited use of descriptive data analytics
- Understand the business and verify results of management consultations (Annually)

Ad Hoc Integrated Analytics: Integrated into work plan to achieve audit objective
- Extensive use of management reports
- Underlying data for expanded use of descriptive data analytics (i.e., benchmarking)
- Understand the business and verify results of management consultations (Annually)

Continuous Risk Assessment & Continuous Auditing: Repeatable and sustainable
- Predefined analytics (i.e., internal and external benchmarking) to identify and prioritize risks based on changes in the business
- Review protocols established
- Automated ETL, analytics and reporting
- Intervals of ERA

Integrated Continuous Auditing & Continuous Monitoring: Continuously auditing the continuous monitoring function
- Leverage Management systems to enable continuous assessment and prioritization of business risks
- Management provides continuous insight to business risks (both internal and external)
- System generated analytics and dashboards monitored by the business
- Specified strategic risk criteria, risk capacity and impact and likelihood analysis.

Continuous Verification of Enterprise Risk Management: End objective of all audit work
- Leverage management's Continuous Monitoring processes by aggregating the output to extract enterprise insights about the risk management processes
- Linking the company's strategic objectives with risk management practices
- Strategic objectives and risks are updated and monitored on a continuous basis
- System generated analytics & dashboards monitored by the enterprise.
- IA Plan is dynamic and able to react to changes in the business

Audit Methodology: Audit Plan Development Phase
Internal Audit Data Analytics and Continuous Auditing Maturity Model

Methodology phase: 2. Internal Audit Plan Development
- 2.1 Identify and Prioritize Areas of Focus
- 2.2 Determine Assurance Appetite and Coverage
- 2.3 Develop IA Plan

Traditional Auditing: Perform relatively few analytics on an ad hoc basis
- Data Analytics are not utilized to develop the audit plan
- Discuss concerns with management and review prior year audit plan
- Assurance map and traditional audit plan

Ad Hoc Integrated Analytics: Integrated into work plan to achieve audit objective
- High level quantitative measures (financial statement trends, industry benchmarking) – (Annually)
- Review prior audit observations, internal and External Audits with simple analytics incorporated

Continuous Risk Assessment & Continuous Auditing: Repeatable and sustainable
- Monitor quantitative and qualitative measures to ensure they are aligned with priority business risks (Quarterly/Monthly).
- Refined assurance of risk appetite and coverage using technology at determined time intervals
- Near real-time consideration of impact related to regulatory and environmental events
- Data analytics enabled audit plan

Integrated Continuous Auditing & Continuous Monitoring: Continuously auditing the continuous monitoring function
- Leverage business intelligence and continuous monitoring to evaluate business results and risks.
- Leverage the business monitoring to identify audit trigger events and reprioritize risks on a continuous (monthly) basis.
- Refined assurance of risk appetite and coverage using technology at determined time intervals
- System generated data analytics are from within the business unit
- Analytic enabled plan is dynamic and updated on a continuous basis.

Continuous Verification of Enterprise Risk Management: End objective of all audit work
- Enterprise and process risks are monitored using business intelligence and continuous monitoring techniques.
- Data analytics, risks and performance indicators are continuously reconciled to the Entity's Strategic business objectives (monthly).
- Refined assurance of risk appetite and coverage using technology (monthly)
- Prioritize Strategic goals used to drive audit plan which is dynamic and updated on a continuous basis.

Audit Methodology: Execution and Reporting Phases
Internal Audit Data Analytics and Continuous Auditing Maturity Model

Methodology phase: 3. Execution and Reporting
- 3.1 Project Architecture
- 3.2 Process Analysis
- 3.3 Measure and Analyze
- 3.4 Reporting

Traditional Auditing: Perform relatively few analytics on an ad hoc basis
- Data Analytics are not utilized to drive the execution of the audit plan in traditional auditing
- Interview process owners to gain an understanding of the process, identifying risks and controls
- Control testing and investigation of exceptions and observations.

Ad Hoc Integrated Analytics: Integrated into work plan to achieve audit objective
- Ad hoc data analytics to identify outlying transactions or to assist in scoping the audit.
- Review of e and risk indicators.
- Consideration for sampling, data analysis, and six sigma techniques to reach the audit objective.
- Audit program is flexible and balances increased scope coverage and efficiencies.

Continuous Risk Assessment & Continuous Auditing: Repeatable and sustainable
- Data is readily available
- Key business processes have automated analytics ready for the auditor during planning to scope and focus audit efforts.
- Dependencies on IT are minimal given the availability of data and pre-packaged analytics.
- Data analytic enabled audit programs

Integrated Continuous Auditing & Continuous Monitoring: Continuously auditing the continuous monitoring function
- Leverages the business monitoring and independently performs analysis to identify trends and prioritize areas to focus audit efforts.
- IA is connected to the same data and reporting as management and assesses the quality of the data and the analytics monitored by the business.
- Audit programs are aligned and dynamically created from KPIs, KRIs, and audit trigger results.
- Automated Auditing techniques achieve several audit objectives based on "exception" auditing.

Continuous Verification of Enterprise Risk Management: End objective of all audit work
- Business monitoring and audit's procedures rely on the same technology.
- Procedures verifying the underlying data analysis and reporting at the business level are aligned with the strategic objectives.
- Audit scope is fluid, focusing on root cause analysis and management's effectiveness at monitoring and responding to risks.
- Audit programs focus on risk management practices backed by analytical depth towards risk management practices.
- Automated auditing is focused on management’s responses to business anomalies and trigger events.

Data Analytics-Enabled Audit Program Guides (APGs)
[Figure: inputs feeding Standard APGs and Data Analysis Enhanced APGs.]
- ERM/ERA – Risk Libraries
- Vendors and Third Party Content
- Advisory Base Processes - Toolkit
- Data Analysis examples, KPMG libraries, repositories, etc.
- Standard APGs
- Data Analysis Enhanced APGs

Examples: Order to Cash

A. Business risk: Customer information is not accurate resulting in incorrect shipments
   Traditional procedure: Confirm that recent additions and edits to the customer master file agree to supporting documentation
   Data analytics procedures:
   A1. Identify duplicate customer records
   A2. Identify missing or incorrect key values
   A3. Count undeliverable and/or re-shipments

B. Business risk: Customers credit is not monitored increasing credit risk
   Traditional procedure: Confirm the credit manager sign offs on the weekly credit report
   Data analytics procedures:
   B1. Identify customers over their credit limit with new orders
   B2. Identify invoices greater than 360 days that are not written off

C. Business risk: Payments are processed incorrectly leading to inaccurate customer balances
   Traditional procedure: Unapplied cash ledger reconciles to the GL
   Data analytics procedures:
   C1. Identify and count the number of cash repostings (i.e., cash between customers)
   C2. Trend the age between date of cash receipt and date of customer posting

Examples: Procure to Pay

A. Business risk: Discounts may be missed causing a decrease in cash flow.
   Traditional procedure: Sample invoices from suppliers offering discounts and confirm discounts were taken.
   Data analytics procedures:
   A1. Summarize vendors and discounts taken
   A2. Identify invoices entered more than 30 days after invoice date

B. Business risk: Goods received may be incorrectly recorded and result in incorrect inventory quantities.
   Traditional procedure: Confirm that receiving records agree to purchasing and packing list documents
   Data analytics procedures:
   B1. Identify receipts without a PO and profile the results by vendor or personnel
   B2. Identify POs created on the same day as receipt

C. Business risk: Payment terms may not be consistent with company terms and policies.
   Traditional procedure: Sample payments and confirm payments processed according to supplier contract terms
   Data analytics procedures:
   C1. Summarize vendor master on Payment Terms
   C2. Calculate payments processing timing and compare to vendor master payment terms
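
The procure-to-pay data analytics procedures A2, B1, B2 and C2 listed above, run over the full population rather than a sample, as an added example (not KPMG's code and not part of the original deck). The record layouts, sample rows and the 5-day tolerance in C2 are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample data; the field layout is an assumption, not a real ERP schema.
VENDOR_TERMS = {"V100": 30, "V200": 45, "V300": 60}  # vendor master: net days

INVOICES = [  # (invoice_id, vendor, invoice_date, entered_date, paid_date)
    ("INV-1", "V100", date(2013, 1, 2), date(2013, 1, 5), date(2013, 2, 1)),
    ("INV-2", "V200", date(2013, 1, 3), date(2013, 2, 20), date(2013, 3, 1)),
    ("INV-3", "V300", date(2013, 1, 10), date(2013, 1, 12), date(2013, 1, 20)),
    ("INV-4", "V100", date(2013, 1, 15), date(2013, 1, 16), date(2013, 3, 30)),
]

RECEIPTS = [  # (receipt_id, vendor, po_id or None, receipt_date, received_by)
    ("R-1", "V100", "PO-1", date(2013, 1, 4), "asmith"),
    ("R-2", "V200", None, date(2013, 1, 6), "bjones"),
    ("R-3", "V300", "PO-3", date(2013, 1, 9), "bjones"),
    ("R-4", "V200", None, date(2013, 1, 11), "bjones"),
]

PO_CREATED = {"PO-1": date(2013, 1, 2), "PO-3": date(2013, 1, 9)}

def late_entered_invoices(invoices, max_days=30):
    """A2: invoices entered more than max_days after the invoice date."""
    return [i[0] for i in invoices if (i[3] - i[2]).days > max_days]

def receipts_without_po(receipts):
    """B1: receipts with no PO, profiled by vendor and by receiving user."""
    hits = [r for r in receipts if r[2] is None]
    return Counter(r[1] for r in hits), Counter(r[4] for r in hits)

def same_day_pos(receipts, po_created):
    """B2: POs created on the same day the goods were received."""
    return [r[2] for r in receipts if r[2] and po_created.get(r[2]) == r[3]]

def payment_term_deviations(invoices, terms, tolerance=5):
    """C2: days-to-pay minus vendor master terms, kept when outside tolerance."""
    out = {}
    for inv_id, vendor, inv_date, _entered, paid in invoices:
        delta = (paid - inv_date).days - terms[vendor]
        if abs(delta) > tolerance:
            out[inv_id] = delta  # negative = paid early, positive = paid late
    return out

if __name__ == "__main__":
    print("A2:", late_entered_invoices(INVOICES))
    print("B1:", receipts_without_po(RECEIPTS))
    print("B2:", same_day_pos(RECEIPTS, PO_CREATED))
    print("C2:", payment_term_deviations(INVOICES, VENDOR_TERMS))
```

Each function returns an exception list that still needs a definition of "exception" agreed with the business, since the thresholds drive the false positive and false negative rates.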

Contact Details
Jim Littley
KPMG LLP
(267) 256-1833
jlittley@kpmg.com
www.kpmg.com

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

© 2013 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International Cooperative (“KPMG International”). NDPPS 144455
